The three-judges protocol, recently advocated by McIver and Morgan as an example of stepwise refinement of security protocols, studies how to securely compute the majority function to reach a final verdict without revealing each individual judge's decision. We extend their protocol in two different ways for an arbitrary number of 2n + 1 judges. The first generalisation is inherently centralised, in the sense that it requires a judge as a leader who collects information from the others, computes the majority function, and announces the final result. A different approach can be obtained by slightly modifying the well-known dining cryptographers protocol; however, it reveals the number of votes rather than the final verdict. We define a notion of conditional anonymity in order to analyse these two solutions. Both of them have been checked in the model checker MCMAS.

1 Introduction 

With the growth and commercialisation of the Internet, users become more and more concerned about 
their anonymity and privacy in the digital world. Anonymity is the property of keeping secret the identity 
of the user who has performed a certain action. The need for anonymity arises in a variety of situations, 
from anonymous communications, electronic voting, and donations to postings on electronic forums. 

Anonymity (untraceability) was first proposed by Chaum [8] in his famous dining cryptographers protocol (DCP). After that, a great deal of research has been carried out on this topic, and various formal definitions and frameworks for analysing anonymity have been developed in the literature. For example, Schneider and Sidiropoulos analysed anonymity with CSP [25]. They used substitution and observable equivalence to define anonymity in CSP. In their framework, the automatic tool FDR [11] was used to check the equivalence of two processes. Kremer and Ryan [19] analysed the FOO92 voting protocol with the applied pi calculus and proved that it satisfies anonymity partially with the automated tool ProVerif [1]. Chothia et al. [10] proposed a general framework based on the process algebraic verification tool μCRL [?] for checking anonymity. Anonymity can be captured in a more straightforward way in epistemic logics, in terms of agents' knowledge, and model checkers for epistemic logics, such as MCK [27], LYS [?] and MCMAS [20], have been applied to DCP. Other works, including [16, 18, 3, 12, 17], have considered probabilistic anonymity.

In all aforementioned works, DCP has been taken as a running example. DCP is a method of anonymous communication, in that it allows any member of a group to multicast data to the other members of the group while guaranteeing sender anonymity. In DCP, all participants first set up pairwise shared secrets using secret channels, then each participant announces a one-bit message. If a participant does not want to send a message, the one-bit message is the XOR of all shared one-bit secrets that he owns. Otherwise, he announces the opposite. In order to achieve unconditional anonymity, the protocol requires secret channels, which are difficult to achieve in practice. Despite its simplicity and elegance, DCP has been criticised for its efficiency and its vulnerability to malicious attacks. Several methods, such as [29, 15], have been proposed to fix these problems, but they all make the protocol much more complex. Notably, Hao and Zieliński [17] recently presented anonymous veto networks to solve DCP efficiently, which only require two rounds of broadcast. While the original solution of Chaum [8] is unconditionally secure, the solutions proposed in [29, 15, 17] are computationally secure, as their security is based on the assumed intractability of some well-known NP problems.

In essence, DCP implements a secure computation of the boolean OR function over all participants' inputs (which inherently assumes that at most one participant holds the boolean value 1), while each individual input bit is kept private. The general problem is to compute a function $F(x_1, x_2, \ldots, x_n)$ without revealing any individual's $x_i$. The three-judges protocol, recently advocated by McIver and Morgan [22] as an example of stepwise refinement of security protocols, computes the majority function $F(x_1, x_2, x_3)$ of three booleans $x_i$ with $i \in \{1,2,3\}$ to reach a final verdict without revealing each individual judge's decision. McIver and Morgan's protocol relies on the 1-out-of-2 oblivious transfer by Rivest [24], and all communications in the protocol are public. At the end of the protocol all three judges know the majority verdict, but no one knows more than their own judgement. More details about this protocol can be found in Section 2.

In our view, the three-judges protocol can be regarded as another standard example for the formal definition and analysis of anonymity. Unlike DCP, the three-judges protocol securely computes a majority function rather than the boolean OR function, which gives rise to some difficulties when we generalise McIver and Morgan's solution to an arbitrary number of 2n + 1 judges in Section 3. Our first generalisation is centralised, in the sense that it requires one judge as the leader of the group. The leader collects information from the others, computes the majority function, and then announces the final result. As the leader plays a quite distinct role from the other judges in the protocol, in certain situations he may know more than necessary due to the asymmetric design of the protocol. A second solution is obtained by slightly modifying the dining cryptographers protocol and is thus inherently symmetric (see Section 4). However, this solution reveals the number of votes (for 'guilty') rather than the final verdict. Therefore, both solutions presented in the paper are imperfect: anonymity for the judges is conditional, in the sense that in certain scenarios their decisions are allowed to be deduced. A formalisation of conditional anonymity in a temporal epistemic logic is given in Section 5, based on a formal description of the interpreted system model [14]. In Section 6 both solutions are modelled and checked in MCMAS [20], a model checker for the verification of multi-agent systems. In the end, we discuss other possible (computational) solutions and conclude the paper with future work in Section 7.

2 Description of the Three-Judges Protocol

In this section we present the three-judges protocol due to McIver and Morgan [22].^1 Three honest but curious judges^2 communicate over the internet to reach a verdict by majority, and the final verdict is 'guilty' if and only if there are at least two judges holding the decision 'guilty'. However, once the verdict is announced, each judge is allowed to deduce no more information than his own decision and the published verdict. To this point, we write $J_i$ with $i \in \{0,1,2\}$ for judge $i$, with $d_i$ taking a value from $\{0,1\}$ for $J_i$'s private decision, where '1' denotes 'guilty' and '0' denotes 'innocent'. We write $F^n : \{0,1\}^n \to \{0,1\}$ for the majority function of $n$ boolean variables.

1 The example is taken from a talk by McIver and Morgan, entitled "Sheherazade's Tale of the Three Judges: An example of stepwise development of security protocols".

2 An honest judge follows the protocol strictly, but he is also curious to find out the other judges' decisions.
One may find that the anonymity requirement for the three-judges protocol is not as straightforward as that of the (three) dining cryptographers protocol (DCP). For instance, it is not necessarily the case that $J_1$'s decision is always kept secret from $J_2$, typically if $d_2 = 0$ and $F^3(d_1, d_2, d_3) = 1$.



2.1 Oblivious Transfer 

McIver and Morgan's solution to the three-judges problem applies Rivest's 1-out-of-2 oblivious transfer protocol (OT) [24]. OT guarantees unconditional security, but it needs private channels and a 'trusted initialiser'. We briefly describe the protocol as follows. The scenario has three parties, Alice (A), Bob (B) and a Trusted Initialiser (T), where Alice owns messages $m_0, m_1$, and Bob will obtain $m_c$ with $c \in \{0,1\}$ from Alice in such a way that the value $c$ remains secret. It is assumed that there are private channels established between A, B and T, the operator '$\oplus$' is 'exclusive or', and the messages $m_0, m_1$ are bit strings of length $k$, i.e., $m_0, m_1 \in \{0,1\}^k$. The protocol proceeds as below.

1. $T \xrightarrow{r_0,\, r_1} A$ and $T \xrightarrow{d,\, r_d} B$, with $r_0, r_1 \in \{0,1\}^k$ and $d \in \{0,1\}$.

2. $B \xrightarrow{e} A$ with $e = c \oplus d$.

3. $A \xrightarrow{f_0,\, f_1} B$ where $f_0 = m_0 \oplus r_e$ and $f_1 = m_1 \oplus r_{1-e}$.

In the end, it is easy to verify that Bob is able to compute $m_c = f_c \oplus r_d$.^3 The extended version for 1-out-of-n oblivious transfer based on this protocol is straightforward [24].



2.2 The McIver-Morgan Protocol

A solution to the three-judges problem has been proposed by McIver and Morgan [22]. We rephrase their protocol in this section. For notational convenience, we replace judges $J_1$, $J_2$ and $J_3$ by A, B and C respectively, with their decisions $a$, $b$ and $c$. 1-out-of-2 oblivious transfer (OT) is treated as a primitive operation, so that $A \xrightarrow{x/y} B$ means A sends either $x$ or $y$ to B by OT (i.e., B is to choose one value out of $x$ and $y$). The protocol can be presented as follows, where '$\oplus$' is 'exclusive or', ':=' denotes variable definition, and '=' denotes logical equivalence.

1. B generates $b_\wedge$ and $b'_\wedge$ satisfying $b_\wedge \oplus b'_\wedge = b$.

2. $B \xrightarrow{b'_\wedge / b_\wedge} C$ by OT, then $c_\wedge := b'_\wedge$ if $c = 1$, and $c_\wedge := b_\wedge$ if $c = 0$.

3. B generates $b_\vee$ and $b'_\vee$ satisfying $b_\vee \oplus b'_\vee = \neg b$.

4. $B \xrightarrow{b_\vee / b'_\vee} C$ by OT, then $c_\vee := b_\vee$ if $c = 1$, and $c_\vee := b'_\vee$ if $c = 0$.

5. $B \xrightarrow{b_\wedge / b_\vee} A$ by OT and $C \xrightarrow{c_\wedge / c_\vee} A$ by OT, then A announces $b_\wedge \oplus c_\wedge$ if $a = 0$, and $\neg(b_\vee \oplus c_\vee)$ if $a = 1$.



3 The essential idea of this protocol is that after T generates two keys $r_0$ and $r_1$, both keys are sent to A and only one key is sent to B in a randomised way. Then B can let A encrypt her messages in the 'correct' message-key combination such that B can successfully retrieve $m_c$ after A sends both encrypted messages to B. Since the key sent to B is chosen by T, A has no way to deduce which message is actually decrypted by B; since B obtains only one key, he knows nothing about the other message; and since T quits after the first step, he knows nothing about either message.
In this protocol, A only needs to know the result $b \wedge c$ (i.e., whether the other judges have both voted for 'guilty') if he is holding the decision 'innocent', or $b \vee c$ (i.e., whether at least one of the other judges has voted for 'guilty') if he is holding 'guilty'. The rest of the protocol is focused on how to generate two bits $b_\wedge$ and $c_\wedge$ satisfying $b_\wedge \oplus c_\wedge = b \wedge c$, and two bits $b_\vee$ and $c_\vee$ satisfying $b_\vee \oplus c_\vee = \neg(b \vee c)$, in a way that the individual values of $b$ and $c$ are hidden. Both constructions rely on the primitive operation OT. In the case of $b \wedge c$, first we know that the values of $b_\wedge$ and $b'_\wedge$ are both independent of $b$. If $c = 1$ then $(b \wedge c) = b$, therefore C needs to get $b'_\wedge$ to ensure $b_\wedge \oplus c_\wedge = b$. If $c = 0$ then we have $(b \wedge c) = 0$, for which C ensures $b_\wedge \oplus c_\wedge = 0$ by letting $c_\wedge = b_\wedge$.^4 Oblivious transfer ensures that B does not know $c$, since whether $b_\wedge$ or $b'_\wedge$ is transferred to C is up to the value of $c$. The construction of $\neg(b \vee c)$ can be done in a similar way.
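As an added illustration (not code from the paper), the following Python simulation implements Rivest's OT of Section 2.1 with a trusted initialiser and then runs the McIver-Morgan protocol above on top of it, checking for every decision triple that A's announcement is the majority; party names and the bit length k follow the text, the function names are ours.

```python
# Added simulation, not the paper's code: Rivest's 1-out-of-2 oblivious
# transfer with a trusted initialiser T, and the McIver-Morgan three-judges
# protocol built on it.  Function names and the default k are our choices.
import random
from itertools import product


def xor_bits(x, y):
    """Bitwise XOR ('⊕') of two equal-length bit tuples."""
    return tuple(p ^ q for p, q in zip(x, y))


def rand_bits(rng, k):
    return tuple(rng.randrange(2) for _ in range(k))


def oblivious_transfer(m0, m1, c, rng, k=8):
    """OT between Alice (owning m0, m1), Bob (choice bit c) and T.
    Returns (Bob's result, Alice's view, Bob's view) so a caller can
    inspect what each party has actually seen."""
    # Step 1: T draws r0, r1 in {0,1}^k and d in {0,1}; Alice gets r0, r1,
    # Bob gets only d and r_d.  T takes no further part.
    r = (rand_bits(rng, k), rand_bits(rng, k))
    d = rng.randrange(2)
    alice_view = {"r0": r[0], "r1": r[1]}
    bob_view = {"d": d, "r_d": r[d]}
    # Step 2: Bob announces e = c ⊕ d (c stays hidden because d is uniform).
    e = c ^ d
    alice_view["e"] = e
    # Step 3: Alice sends f0 = m0 ⊕ r_e and f1 = m1 ⊕ r_{1-e}.
    f = (xor_bits(m0, r[e]), xor_bits(m1, r[1 - e]))
    bob_view["f"] = f
    # Bob decrypts the message he chose: m_c = f_c ⊕ r_d.
    return xor_bits(f[c], r[d]), alice_view, bob_view


def ot_bit(x, y, choice, rng):
    """Primitive 'send x or y by OT': receiver gets x if choice = 0, y if 1."""
    got, _, _ = oblivious_transfer((x,), (y,), choice, rng, k=1)
    return got[0]


def three_judges(a, b, c, rng):
    """McIver-Morgan protocol for judges A, B, C with decisions a, b, c.
    Returns the verdict announced by A."""
    # Step 1: B splits b into shares b_and ⊕ b_and_p = b.
    b_and = rng.randrange(2)
    b_and_p = b_and ^ b
    # Step 2: C obtains b_and_p if c = 1, b_and if c = 0, giving
    # b_and ⊕ c_and = b ∧ c; B does not learn c.
    c_and = ot_bit(b_and, b_and_p, c, rng)
    # Step 3: B splits ¬b into shares b_or ⊕ b_or_p = ¬b.
    b_or = rng.randrange(2)
    b_or_p = b_or ^ (1 - b)
    # Step 4: C obtains b_or if c = 1, b_or_p if c = 0, giving
    # b_or ⊕ c_or = ¬(b ∨ c).
    c_or = ot_bit(b_or_p, b_or, c, rng)
    # Step 5: A fetches the '∧' shares if a = 0 and the '∨' shares if a = 1,
    # by OT from B and from C, and announces the verdict.
    from_b = ot_bit(b_and, b_or, a, rng)
    from_c = ot_bit(c_and, c_or, a, rng)
    return from_b ^ from_c if a == 0 else 1 - (from_b ^ from_c)


def majority(*bits):
    """The majority function F^n on n boolean inputs."""
    return int(sum(bits) > len(bits) // 2)


def check_ot(seed=0, k=8, trials=50):
    """Bob always recovers exactly m_c (correctness of OT)."""
    rng = random.Random(seed)
    for _ in range(trials):
        m0, m1, c = rand_bits(rng, k), rand_bits(rng, k), rng.randrange(2)
        got, _, _ = oblivious_transfer(m0, m1, c, rng, k)
        if got != (m0, m1)[c]:
            return False
    return True


def check_three_judges(seed=0, rounds=20):
    """A's announcement equals the majority for every decision triple,
    whatever the random shares and the OT randomness."""
    rng = random.Random(seed)
    return all(three_judges(a, b, c, rng) == majority(a, b, c)
               for _ in range(rounds) for a, b, c in product((0, 1), repeat=3))


if __name__ == "__main__":
    print("OT correct:", check_ot())
    print("three judges correct:", check_three_judges())
```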

The anonymity requirement for this protocol depends on the actual observations of each judge. Superficially, if a judge's decision differs from the final verdict, then he is able to deduce that both other judges are holding a decision different from his. Therefore, we may informally state anonymity for the case of three judges as follows: each judge is not allowed to know the other judges' decisions, provided that the final verdict coincides with his own decision. We will present a generalised definition of the anonymity requirement for 2n + 1 judges in Section 5.

3 A Generalisation of McIver-Morgan's Solution

As described in McIver-Morgan's solution for three judges, judge A can be regarded as playing the leading role in the whole protocol: he collects either $b \wedge c$ or $b \vee c$ based on his own decision. (To be precise, A picks up $b \wedge c$ if $a = 0$, or $b \vee c$ if $a = 1$.) Based on this observation, it is conceivable to have a protocol in which one judge takes the lead, and the other judges only need to send their decisions to the leader in an anonymous way. However, it is not yet clear to us whether this pattern yields a satisfactorily anonymous protocol when there are more than three judges. In this section, we present a protocol which guarantees only a limited degree of anonymity.

Suppose we have judges $J_0, J_1, \ldots, J_{2n}$ with their decisions $d_0, d_1, \ldots, d_{2n}$. Without loss of generality, we let $J_0$ be the leader. We then group the remaining $2n$ judges into $n$ pairs, for example $(J_1, J_2), (J_3, J_4), \ldots, (J_{2n-1}, J_{2n})$. Now a procedure similar to the one described in McIver-Morgan's solution can be used to generate $d_{2i-1} \wedge d_{2i}$ and $d_{2i-1} \vee d_{2i}$ for all $1 \le i \le n$.^5 We first illustrate our solution in the case of five judges. Suppose judge $J_0$'s decision $d_0$ is 1; then $J_0$ needs to know whether at least two of the other four judges are holding 'guilty'. Superficially, he may poll one of the two formulas $d_1 \wedge d_2$ and $d_3 \wedge d_4$. If one of the two is true then he knows the verdict is 1 (for 'guilty'). However, both formulas are only sufficient but not necessary for the final verdict to be true. The formula equivalent to the statement "at least two judges are holding 'guilty'" is

$$\varphi^2_4 = (d_1 \wedge d_2) \vee (d_3 \wedge d_4) \vee ((d_1 \vee d_2) \wedge (d_3 \vee d_4)),$$

where we write $\varphi^x_y$ for a boolean formula on the decisions of $y$ judges stating that at least $x$ judges have decision 1. Similarly, if $d_0$ is 0, $J_0$ needs to know whether at least three out of four judges have decided on 'guilty', which can be stated as $(d_1 \wedge d_2 \wedge d_3) \vee (d_1 \wedge d_2 \wedge d_4) \vee (d_1 \wedge d_3 \wedge d_4) \vee (d_2 \wedge d_3 \wedge d_4)$. After a simple translation, we get an equivalent formula

$$\varphi^3_4 = (d_1 \vee d_2) \wedge (d_3 \vee d_4) \wedge ((d_1 \wedge d_2) \vee (d_3 \wedge d_4)),$$

which is just $\varphi^2_4$ with all the conjunction operators '$\wedge$' flipped to '$\vee$' and all the disjunction operators '$\vee$' flipped to '$\wedge$'. Overall we have the following proposition.

4 However, revealing both $b_\wedge$ and $b'_\wedge$ would let C uniquely determine the value of $b$.

5 To be more precise, each $J_{2i-1}$ first generates $d^\wedge_{2i-1}$ and $d^\vee_{2i-1}$, then $J_{2i}$ generates $d^\wedge_{2i}$ and $d^\vee_{2i}$ based on $d_{2i}$ using OT, so that $d_{2i-1} \wedge d_{2i} = d^\wedge_{2i-1} \oplus d^\wedge_{2i}$ and $d_{2i-1} \vee d_{2i} =$
Figure 1: A generalisation of McIver-Morgan's judges protocol (pairs $(J_{2i-1}, J_{2i})$ for $1 \le i \le n$).

Proposition 3.1 The formulas $\varphi^n_{2n}$ and $\varphi^{n+1}_{2n}$ can be constructed by a finite number of conjunctions and/or disjunctions from the set of formulas $\{d_{2i-1} \wedge d_{2i}\}_{1 \le i \le n} \cup \{d_{2i-1} \vee d_{2i}\}_{1 \le i \le n}$.

Intuitively, since revealing both $d_{2i-1} \wedge d_{2i}$ and $d_{2i-1} \vee d_{2i}$ gives $J_0$ the actual number of judges in $\{J_{2i-1}, J_{2i}\}$ who have voted for 'guilty' (plainly, a value in $\{0,1,2\}$), he has enough information to deduce the exact number of judges who have voted 'guilty' out of the $2n$ in total. The general protocol for 2n + 1 judges is illustrated in Figure 1, where the lines between judges indicate communications. An undesirable consequence of this generalisation is that for each pair of judges $J_{2i-1}$ and $J_{2i}$, if $d_{2i-1} = d_{2i}$ then $d_{2i-1}$ and $d_{2i}$ are both revealed to $J_0$.
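The following Python simulation is an added example, not the paper's code: each pair hands the leader XOR shares of $d_{2i-1} \wedge d_{2i}$ and $d_{2i-1} \vee d_{2i}$, the leader recovers the per-pair count and evaluates $\varphi^n_{2n}$ or $\varphi^{n+1}_{2n}$ by counting, and `leader_learns` (our name) spells out the consequence discussed above; the OT step is modelled as $J_{2i}$ simply selecting the share it is entitled to.

```python
# Added simulation (not the paper's code) of the centralised generalisation
# for 2n+1 judges.  Function names are ours; the share construction follows
# steps 1-4 of the three-judges protocol, with OT modelled as a selection.
import random
from itertools import product


def pair_shares(d_odd, d_even, rng):
    """Bits the leader receives from one pair (J_{2i-1}, J_{2i}):
    (d^∧_{2i-1}, d^∨_{2i-1}, d^∧_{2i}, d^∨_{2i})."""
    x_and = rng.randrange(2)            # J_{2i-1}: x_and ⊕ x_and_p = d_{2i-1}
    x_and_p = x_and ^ d_odd
    x_or = rng.randrange(2)             # J_{2i-1}: x_or ⊕ x_or_p = ¬d_{2i-1}
    x_or_p = x_or ^ (1 - d_odd)
    # J_{2i} obtains exactly one share of each pair by OT, chosen by d_{2i}.
    y_and = x_and_p if d_even == 1 else x_and
    y_or = x_or if d_even == 1 else x_or_p
    return x_and, x_or, y_and, y_or


def pair_values(shares):
    """(d_{2i-1} ∧ d_{2i}, d_{2i-1} ∨ d_{2i}) as reconstructed by the leader."""
    x_and, x_or, y_and, y_or = shares
    return x_and ^ y_and, 1 - (x_or ^ y_or)


def pair_count(shares):
    """Number of 'guilty' votes in the pair: (∧ value) + (∨ value)."""
    conj, disj = pair_values(shares)
    return conj + disj


def leader_verdict(d0, pair_share_list):
    """J_0 needs φ^n_{2n} (at least n of the 2n others guilty) if d_0 = 1 and
    φ^{n+1}_{2n} if d_0 = 0; both follow from the pair counts (Prop. 3.1)."""
    n = len(pair_share_list)
    guilty_others = sum(pair_count(s) for s in pair_share_list)
    return int(guilty_others >= (n if d0 == 1 else n + 1))


def leader_learns(shares):
    """What the leader can deduce about a pair: (d_{2i-1}, d_{2i}) when both
    are determined, None when exactly one is guilty (which one stays hidden)."""
    conj, disj = pair_values(shares)
    if conj == 1:
        return (1, 1)
    if disj == 0:
        return (0, 0)
    return None


def phi_2_of_4(d1, d2, d3, d4):
    """φ^2_4 as written in the text."""
    return (d1 & d2) | (d3 & d4) | ((d1 | d2) & (d3 | d4))


def phi_3_of_4(d1, d2, d3, d4):
    """φ^3_4: φ^2_4 with ∧ and ∨ swapped."""
    return (d1 | d2) & (d3 | d4) & ((d1 & d2) | (d3 & d4))


def run_protocol(decisions, rng):
    """Full run for 2n+1 judges; decisions[0] is the leader's own decision."""
    shares = [pair_shares(decisions[k], decisions[k + 1], rng)
              for k in range(1, len(decisions), 2)]
    return leader_verdict(decisions[0], shares), shares


def majority(bits):
    return int(sum(bits) > len(bits) // 2)


def check_all(n_judges=5, seed=0):
    """Verdict correct for every decision profile; for five judges also check
    that the two explicit formulas agree with simple counting."""
    rng = random.Random(seed)
    for d in product((0, 1), repeat=n_judges):
        verdict, _ = run_protocol(d, rng)
        if verdict != majority(d):
            return False
        if n_judges == 5:
            others = sum(d[1:])
            if phi_2_of_4(*d[1:]) != int(others >= 2):
                return False
            if phi_3_of_4(*d[1:]) != int(others >= 3):
                return False
    return True


if __name__ == "__main__":
    print("5 judges correct:", check_all(5), "7 judges correct:", check_all(7))
```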

4 A DCP-Based Solution 

In this section, we describe a symmetric solution for computing the majority function based on DCP.^6 In DCP, three or more cryptographers sitting in a circle cooperate to make sure that the occurrence of a certain action, i.e. sending a message, is made known to everyone, while the cryptographer who has actually performed the action remains anonymous. They achieve this goal by executing an algorithm which involves coin tosses. Each neighbouring pair of cryptographers generates a shared bit by flipping a coin; then each cryptographer computes the XOR of the two bits shared with his neighbours and announces the result, or the opposite result if that cryptographer wants to perform the action. The XOR of the publicly announced results indicates whether such an action has been made. In the end no individual cryptographer knows who has reported the opposite result.



6 This extension to DCP seems to already exist in the literature. The description closest to ours can be found in [29]. Carroll Morgan also suggested this solution independently from us.
To extend the DCP technique to a protocol for 2n + 1 judges, we require each neighbouring pair of judges $(J_i, J_{i+1})$ with $i \in \{0, \ldots, 2n+1\}$^7 in a ring (see Figure 2) to share one secret $s_i \in \{0, 1, \ldots, 2n+1\}$. $s_i$ is used with sign '+' by $J_i$ and with sign '−' by $J_{i+1}$. Each judge adds his decision $d_i \in \{0,1\}$ to the sum of his two secrets ($s_i$ and $s_{i-1}$) with the appropriate signs, and announces the result $(s_i - s_{i-1} + d_i) \bmod (2n+2)$. All judges then add up the announced numbers (modulo 2n + 2). It is easy to see that each secret $s_i$ has been added and subtracted exactly once, so the final sum is just the number of judges who have voted for 'guilty', i.e.

$$\Big(\sum_{i=0}^{2n} \big((s_i - s_{i-1} + d_i) \bmod (2n+2)\big)\Big) \bmod (2n+2) = \sum_{i=0}^{2n} d_i.$$

Unlike the solution in the previous section, where only the majority of decisions is made public, the number of votes is known to every judge in this symmetric solution, where no central leader is needed. This gives rise to possible attacks: for instance, a coalition of a group of judges might find out the decisions made by the rest of the judges, if the final sum corresponds to the sum of their votes.
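An added Python simulation of this ring protocol (not the paper's code): it produces the announcements $(s_i - s_{i-1} + d_i) \bmod (2n+2)$, checks that the public tally equals the vote count for every decision profile, and quantifies the leak described above by listing the decision profiles still compatible with the tally from the viewpoint of one judge or a coalition; function names are ours.

```python
# Added simulation (not the paper's code) of the DCP-based judges protocol:
# 2n+1 judges in a ring, neighbour secrets in {0, ..., 2n+1}, announcements
# (s_i - s_{i-1} + d_i) mod (2n+2), and the tally every judge can compute.
import random
from itertools import product


def dcp_round(decisions, rng):
    """One run for judges J_0..J_{2n}. Returns (announcements, secrets)."""
    m = len(decisions)          # 2n+1 judges
    mod = m + 1                 # arithmetic modulo 2n+2
    # s_i is shared by J_i (sign '+') and J_{i+1} (sign '-'); indices wrap,
    # so J_0 subtracts s_{-1} = s_{2n}.
    secrets = [rng.randrange(mod) for _ in range(m)]
    announcements = [(secrets[i] - secrets[i - 1] + decisions[i]) % mod
                     for i in range(m)]
    return announcements, secrets


def tally(announcements):
    """Public sum: every secret is added and subtracted exactly once, so the
    result is the number of 'guilty' votes."""
    mod = len(announcements) + 1
    return sum(announcements) % mod


def verdict_from_tally(count, n_judges):
    """Majority verdict derived from the published count."""
    return int(count > n_judges // 2)


def compatible_profiles(count, known, n_judges):
    """Decision profiles of the judges NOT in `known` that agree with the
    published count, where `known` = {index: bit} holds the decisions of one
    judge (his own) or of a coalition.  A single remaining profile means the
    other judges' decisions are leaked."""
    unknown = [i for i in range(n_judges) if i not in known]
    need = count - sum(known.values())
    return [p for p in product((0, 1), repeat=len(unknown)) if sum(p) == need]


def leaked_decisions(count, known, n_judges):
    """Indices of judges outside `known` whose decision is fixed by the count."""
    unknown = [i for i in range(n_judges) if i not in known]
    profiles = compatible_profiles(count, known, n_judges)
    return [unknown[k] for k in range(len(unknown))
            if len({p[k] for p in profiles}) == 1]


def check_tally(n_judges=5, seed=0):
    """For every decision profile the public tally equals the true count and
    the derived verdict equals the majority."""
    rng = random.Random(seed)
    for d in product((0, 1), repeat=n_judges):
        ann, _ = dcp_round(d, rng)
        count = tally(ann)
        if count != sum(d) or verdict_from_tally(count, n_judges) != int(sum(d) > n_judges // 2):
            return False
    return True


if __name__ == "__main__":
    print("tally correct for 5 judges:", check_tally(5))
    # Constructed scenario: five judges, J_0 voted 'guilty', tally is 1:
    # J_0 learns that all four others voted 'innocent'.
    print("leaked to J_0:", leaked_decisions(1, {0: 1}, 5))
```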



Figure 2: A DCP-based solution to the judges protocol. Judges $J_0, \ldots, J_{2n}$ with decisions $d_0, \ldots, d_{2n}$ are arranged in a ring.



5 Formalising Anonymity 

Sometimes functionality and anonymity are seemingly contradictory requirements. For example, in the case of three judges, if one judge discovers that his decision is different from the final verdict, he will immediately know that both other judges have cast a vote that is different from his in the current run. This is why the anonymity requirement needs to be specified conditionally on the result of each particular run. In other words, an anonymity specification must be made consistent with what a judge is legally allowed to know.^8

Since all the judges are honest, they make their decisions before a protocol starts. Let $\mathcal{R}(P)$ be the set of runs generated by a protocol $P$, and for each $r \in \mathcal{R}(P)$ we write $r(d_i)$ for $J_i$'s decision and $r(v)$ for

7 Implicitly, the indices are taken modulo 2n + 2 (or a number bigger than 2n + 1).

8 We are aware of existing works on measuring information leakage, most of which are developed in a probabilistic setting. Instead, we aim to formalise a notion of conditional anonymity within an epistemic framework.
the final verdict in $r$. Anonymity can be defined in terms of compatibility. For example, the anonymity property for a protocol $P$ of three judges can be stated as: for all judges $J_i$ and $J_j$ with $i, j \in \{0,1,2\}$, $i \ne j$ and $d_i = v$, and for all runs $r \in \mathcal{R}(P)$, there exists $r' \in \mathcal{R}(P)$ such that $r(d_j) \ne r'(d_j)$, $r(d_i) = r'(d_i)$, $r(v) = r'(v)$, and $i$ cannot tell the difference between $r$ and $r'$. Intuitively, this means that given a run $r$ for $i$, if $r(d_j)$ is compatible with both $i$'s decision and the final verdict, then the negation of $r(d_j)$ must also be compatible with $i$'s observation of $r$. We will show how to generalise this definition by means of temporal and epistemic logic based specifications. In addition, a protocol $P$ for computing the majority of $n$ judges is said to be functionally correct if at the end of $r$ we have $r(v) = F^n(r(d_1), r(d_2), \ldots, r(d_n))$ for all runs $r \in \mathcal{R}(P)$.

5.1 Interpreted System Model 

To this point we present a formal description of the underlying model, which follows the standard interpreted system framework of Fagin et al. [14], where there is a finite set of agents $1, 2, \ldots, n$ and a finite set of atomic formulas $Prop$. The execution of a protocol is modelled as a finite transition system $(S, I, ACT, \{\mathcal{O}_i\}_{i=1,\ldots,n}, \pi, \tau)$, where

• $S$ is a finite set of states,

• $I \subseteq S$ is a set of initial states,

• $ACT$ is a finite set of joint actions,

• $\mathcal{O}_i$ is the observation function of agent $i$, such that $\mathcal{O}_i(s)$ is the part of a state $s \in S$ observable by $i$,

• $\pi : S \to \mathcal{P}(Prop)$ is an interpretation function,

• $\tau : S \times ACT \to \mathcal{P}(S)$ is an evolution (or transition) function.

A global state is a cartesian product of the local states of the agents as well as that of the environment, i.e., $S = S_1 \times S_2 \times \ldots \times S_n \times S_e$. Similarly, we have $I = I_1 \times \ldots \times I_n \times I_e$, and $ACT = ACT_1 \times ACT_2 \times \ldots \times ACT_n \times ACT_e$. We write $s(i)$ and $a(i)$ for the $i$-th part of a state $s$ and an action $a$, respectively. An agent $i$ is allowed to observe his local state as well as part of the environment state. The local protocol $P_i$ for agent $i$ is a function of type $S_i \to \mathcal{P}(ACT_i)$, mapping local states of agent $i$ to sets of performable actions in $ACT_i$. A protocol $P_e$ for the environment $e$ is of type $S_e \to \mathcal{P}(ACT_e)$. A run $r$ is a sequence $s_0 s_1 s_2 \ldots$ such that for every $m \in \mathbb{N}$ there exists $a_m \in ACT$ with $a_m(i) \in P_i(s_m(i))$ for all agents $i$ and $s_m \in \tau(s_{m-1}, a_m)$. Each transition requires simultaneous inputs from all agents in the system, and during each transition the system time advances by one. For each run $r$, $(r, m)$ denotes the $m$-th state in $r$, where $m \in \mathbb{N}$. In general, a protocol $P$ is the collection of all agents' local protocols, i.e., $P = \{P_i\}_{i \in \{1,\ldots,n\}} \cup \{P_e\}$, and $\mathcal{R}(P)$ is the set of runs generated when the agents execute their local protocols together with $P_e$.

Anonymity requirements can be defined in temporal and epistemic logic over the interpreted system generated from a protocol. The formulas are defined in the following language, where $p \in Prop$ is a propositional atom and $i$ denotes an agent:^9

$$\phi, \psi ::= p \mid \neg\phi \mid \phi \wedge \psi \mid K_i\phi \mid EX\phi \mid EG\phi \mid E(\phi\, U\, \psi)$$

The epistemic accessibility relation $\sim_i$ for agent $i$ is defined as $s \sim_i t$ iff $\mathcal{O}_i(s) = \mathcal{O}_i(t)$. We do not define group knowledge, distributed knowledge and common knowledge in this paper, since in this case study the knowledge modality $K$ suffices for our purpose, and also because the judges are honest and do not



9 This language can be regarded as a sub-logic of the one used in the model checker MCMAS [20].
collude to cheat (e.g., by combining their knowledge). The temporal fragment of the language follows standard CTL (computational tree logic) [13], and the semantics of our formulas is presented as follows.

• $s \models p$ iff $p \in \pi(s)$,

• $s \models \neg\phi$ iff $s \not\models \phi$,

• $s \models \phi \wedge \psi$ iff $s \models \phi$ and $s \models \psi$,

• $s \models K_i\phi$ iff $s' \models \phi$ for all $s'$ with $s \sim_i s'$,

• $s \models EX\phi$ iff there exists a run $r$ such that $(r,0) = s$ and $(r,1) \models \phi$,

• $s \models EG\phi$ iff there exists a run $r$ such that $(r,0) = s$ and $(r,m) \models \phi$ for all $m \in \mathbb{N}$,

• $s \models E(\phi\, U\, \psi)$ iff there exists a run $r$ such that $(r,0) = s$, and there is $m \in \mathbb{N}$ satisfying $(r,m) \models \psi$ and $(r,m') \models \phi$ for all $0 \le m' < m$.

The other standard CTL modalities not appearing in our syntax, namely AX, EF, AF, AG and AU, are all expressible by the existing temporal modalities. A similar argument holds for the propositional connectives $\vee$ and $\Rightarrow$. For example, we have $EF\phi \equiv E(true\, U\, \phi)$, $AF\phi \equiv \neg EG\neg\phi$, and $AG\phi \equiv \neg EF\neg\phi$, where $true = \neg(p \wedge \neg p)$ for some $p \in Prop$.

5.2 Conditional Anonymity 

We assume that each judge $J_i$ makes his decision $d_i$ at the beginning of a protocol execution, and $v \in \{\bot, 0, 1\}$ denotes the final verdict, indicating whether at least half of the judges have voted for 'guilty'; in particular $v = \bot$ denotes that the final verdict is yet to be announced. The functionality of the protocol can also be verified by checking whether every judge eventually knows the final verdict as $F^{2n+1}(d_0, d_1, \ldots, d_{2n})$ for 2n + 1 judges. Note that $v$ is defined as a three-valued variable. As we have informally discussed at the beginning of the section, a judges' protocol $P$ satisfies functionality if the system generated by $P$ satisfies the formula $AF(v = F^{2n+1}(d_0, d_1, \ldots, d_{2n}))$, which is essentially a liveness requirement. In our actual verification in MCMAS, we relax this condition to the formula $\bigwedge_{i \in \{1,\ldots,n\}} AF(K_i(v = 1) \vee K_i(v = 0))$, provided that the protocol ensures that $v$ always gets the correct majority result. The anonymity requirements discussed in the following paragraphs are in general based on the fulfilment of the functionality of a protocol. Our epistemic accessibility relation $\sim_i$ is defined as $s \sim_i t$ iff $\mathcal{O}_i(s) = \mathcal{O}_i(t)$, where the observation function $\mathcal{O}_i(s)$ gives judge $i$ only the values of $v$ and $d_i$ at state $s$.

The definition of anonymity is more elaborate for the judges protocols, since it is sometimes impossible to prevent a judge from deducing the other judges' decisions by knowing the final verdict together with his own decision, as we have already discussed above in the case of three judges. Formally, we define conditional anonymity in the form

$$AG(\varphi_{ij} \Rightarrow (\neg K_i(d_j = 1) \wedge \neg K_i(d_j = 0)))$$

for all judges $i \ne j$, i.e., judge $i$ does not know judge $j$'s decision, conditional on the formula $\varphi_{ij}$. In our protocol analyses in Section 6, we derive particular conditional anonymity requirements to serve each different scenario. The following paragraphs present the strongest notions of anonymity, which are not to be applied in the protocol analyses for more than three judges in Section 6. However, we believe they are of theoretical importance to be connected with other definitions of anonymity in the literature (such as [?]).
Perfect individual anonymity. Here we present an anonymity definition which requires that every judge $J_i$ is not allowed to deduce the decision of any other judge $J_j$ in a run, if $J_j$'s decisions '1' and '0' are both compatible with the final verdict $v$ as well as $i$'s local decision $d_i$. Note that this notion is essentially what we have presented as compatibility-based anonymity at the beginning of the section. Formally, a protocol $P$ satisfies perfect individual anonymity if the system generated by $P$ satisfies that for all judges $i, j \in \{0, \ldots, 2n\}$ with $i \ne j$, if the value of $d_j$ cannot be derived from $d_i$ and $v$, then it cannot be deduced by $J_i$ at any time during a protocol execution, i.e.,

$$\bigwedge_{i, j \in \{0,1,\ldots,2n\},\, i \ne j} AG\big(\varphi_c(d_i, d_j, v) \Rightarrow (\neg K_i(d_j = 0) \wedge \neg K_i(d_j = 1))\big)$$

where $\varphi_c(d_i, d_j, v)$ denotes the compatibility between the decisions $d_i$, $d_j$ and the final verdict $v$, which can be formally defined as: there exist boolean values $v_0, v'_0, v_1, v'_1, \ldots, v_{2n}, v'_{2n} \in \{0,1\}$ satisfying $v_i = v'_i = d_i$, $v_j = \neg v'_j = d_j$ and $F^{2n+1}(v_0, v_1, \ldots, v_{2n}) = F^{2n+1}(v'_0, v'_1, \ldots, v'_{2n}) = v$. In our verification, this formula is usually split into separate subformulas for each pair of judges. For example, in the case of three judges, we specify $AG((v = d_0) \Rightarrow (\neg K_0(d_1 = 0) \wedge \neg K_0(d_1 = 1)))$ for judges $J_0$ and $J_1$, and the other five formulas (for the other ways of taking distinct $i, j$ out of $\{0,1,2\}$) can be specified in a similar way.

Equivalently, this specification can also be understood as: if both 0 and 1 are possible for $d_j$ given the values of $d_i$ and $v$, then both 0 and 1 are deemed possible by $J_i$ throughout the protocol execution. As the possibility modality $P_i$ is defined by $P_i\varphi$ iff $\neg K_i\neg\varphi$, we can rewrite the condition in terms of possibility, similar to what is defined by Halpern and O'Neill [16]. For example, the above can also be restated as

$$\bigwedge_{i, j \in \{0,1,\ldots,2n\},\, b \in \{0,1\}} AG\big(\varphi_c(d_i, d_j, v) \Rightarrow P_i(d_j = b)\big).$$

Total anonymity. It is also possible to define an even stronger notion of anonymity. Let a decision profile of size $n$ be a member of the set $\{0,1\}^n$, and write $\mathbf{d}(i)$ for the $i$-th member of a decision profile $\mathbf{d}$ for $0 \le i \le n-1$. Intuitively, a decision profile is a vector consisting of all judges' decisions. We overload the equivalence operator '=' by defining that the equality $(d_0, d_1, \ldots, d_{n-1}) = \mathbf{d}$ for a decision profile $\mathbf{d}$ of size $n$ holds iff $d_i = \mathbf{d}(i)$ for all $i$, i.e., the judges' decisions $d_0, d_1, \ldots, d_{n-1}$ as a vector are equal to the decision profile $\mathbf{d}$. A protocol $P$ satisfies total anonymity if the following is satisfied:

$$\bigwedge_{i \in \{0,1,\ldots,2n\},\, \mathbf{d} \in \{0,1\}^{2n+1}} AG\big((\mathbf{d}(i) = d_i \wedge F^{2n+1}(\mathbf{d}(0), \mathbf{d}(1), \ldots, \mathbf{d}(2n)) = v) \Rightarrow P_i((d_0, d_1, \ldots, d_{2n}) = \mathbf{d})\big).$$

That is, no judge can rule out any combination of decisions that is compatible with his own decision and the final verdict. It is obvious that total anonymity and perfect individual anonymity coincide in the case of three judges, but total anonymity is strictly stronger than perfect individual anonymity when there are more than three judges. This notion can be shown to be a special case of the total anonymity of Halpern and O'Neill [16].

We show that total anonymity is strictly stronger than perfect individual anonymity when there are five or more judges. Suppose there is a protocol $P'$ for five judges where the decisions of $J_0, J_1, J_2, J_3, J_4$ are $d_0, d_1, d_2, d_3, d_4$, respectively. Assume that the protocol is almost perfect, in the sense that $J_i$ knows only the final verdict and his own decision throughout the protocol executions for all $i \in \{1,2,3,4\}$, but in the end $J_0$ knows in addition whether or not at least three other judges have voted for guilty. Protocol $P'$ satisfies perfect individual anonymity, since for all $i, j \in \{0,1,2,3,4\}$, $J_i$ considers both $d_j = 1$ and $d_j = 0$ possible if $i \ne j$. However, $P'$ does not satisfy total anonymity, because if the final verdict is guilty, $d_0 = 1$, and $J_0$ knows there are fewer than three other judges who have voted for guilty, then $(1,1,1,1,1)$ is not a decision profile compatible with $J_0$'s observation in this run.
6 Automatic Analysis in MCMAS

We have modelled and checked the above two solutions in MCMAS [20], which is a symbolic model checker supporting specifications in an extension of CTL (computational tree logic) with epistemic modalities, including the modality $K$. All anonymity properties we are interested in have the form of conditional anonymity $AG(\varphi \Rightarrow \neg K_i\psi)$ (see Section 5.2), where $\varphi$ typically represents the final outcome of a protocol and/or the individual decision of $J_i$, and $K_i\psi$ represents the knowledge of $J_i$ ($K_i\psi$ means "agent $i$ knows $\psi$").

The input language ISPL (Interpreted Systems Programming Language) of MCMAS supports modular representation of agent-based systems. An ISPL agent is described by giving the agent's possible local states, its actions, protocol, and local evolution function. An ISPL file also defines the initial states, fairness constraints, and the properties to be checked. The interpretation of the propositional atoms used in the properties can also be given. The semantics of an ISPL file is an interpreted system, on which the properties of interest are defined. (Details about MCMAS and ISPL can be found in [20].) How we model the two solutions to the judges problem in ISPL is out of the scope of the current paper. Instead, we focus on the anonymity properties and their model checking results in MCMAS. Functionality properties can simply be checked by comparing every individual judge's decision with the final verdict of the protocol.

Analysis of anonymity properties in the centralised solution. Due to the different roles an agent can 
play, either the leader or not, we define the conditional anonymity property for the judges in different ways. 
For any $J_i$ ($i \ne 0$) who is not the leader, it should be the case that he does not know anything about any 
other judge's decision. This is formalised as the logic formula $AG(\neg K_i(d_j = 1) \wedge \neg K_i(d_j = 0))$ with $i \ne j$. 
Ideally, this formula should hold for $J_0$ as well, who plays the lead role. However, this is not the 
case, as $J_0$ collects the bits $d^{\wedge}_{2i-1}, d^{\vee}_{2i-1}, d^{\wedge}_{2i}, d^{\vee}_{2i}$ from every pair of judges $(J_{2i-1}, J_{2i})$ ($1 \le i \le n$). If both 
$J_{2i-1}$ and $J_{2i}$ have made the same decision $d_{2i-1} = d_{2i}$, the leader $J_0$ would find it out by simply checking 
the values of $d_{2i-1} \wedge d_{2i}$ and $d_{2i-1} \vee d_{2i}$ (see footnote 10). Hence, for $J_0$, the anonymity property is formalised as the 
logic formula 

$$AG\big((d_{2i-1} \ne d_{2i}) \Rightarrow (\neg K_0(d_{2i-1} = 0) \wedge \neg K_0(d_{2i-1} = 1) \wedge \neg K_0(d_{2i} = 0) \wedge \neg K_0(d_{2i} = 1))\big)$$ 

by excluding the above situations from the premise. 

In case of a protocol with five or more judges, both properties are checked to hold in 
MCMAS. A protocol with three judges is a special case. First, it is not necessary for the leader $J_0$ to 
obtain all of $d^{\wedge}_1, d^{\vee}_1, d^{\wedge}_2, d^{\vee}_2$, as seen in Section 2.2. Second, if one judge's decision $d_i$ is 'guilty' 
('innocent') and the final verdict $v$ is 'innocent' ('guilty'), then this judge can find out that the other two 
judges have voted for 'innocent' ('guilty'). Hence, we need a different formalisation: 

$$\bigwedge_{i \ne j} AG\big((v = d_i) \Rightarrow (\neg K_i(d_j = 0) \wedge \neg K_i(d_j = 1))\big).$$ 

Analysis of anonymity properties in the DCP-based solution. In the DCP-based solution, the final 
verdict $v$ is the number of votes for 'guilty'. As discussed in Section 5.2, the definition of anonymity has 
to take care of the possibility that a judge can deduce the other judges' decisions from the final verdict 



10 Both $d_{2i-1} \wedge d_{2i}$ and $d_{2i-1} \vee d_{2i}$ are true if $d_{2i-1} = d_{2i} = 1$; both $d_{2i-1} \wedge d_{2i}$ and $d_{2i-1} \vee d_{2i}$ are false if $d_{2i-1} = d_{2i} = 0$. 
                    The centralised solution           The DCP-based solution 
                    reachable states  BDD memory (MB)  reachable states  BDD memory (MB) 
3 judges            184               4.90             95,972            5.70 
5 judges            5,568             5.10             1.43 x 10^8       55.00 



together with his own decision. For example, if the final verdict is $2n+1$ (or 0), then it must be the case 
that every judge has voted for 'guilty' ('innocent'). Another situation is that if the final verdict is $2n$ (or 
1), and one judge's decision is 'innocent' (or 'guilty'), then this judge knows that every other judge's 
decision is 'guilty' (or 'innocent') (see footnote 11). Hence, for the DCP-based protocols anonymity is formalised as 

$$\bigwedge_{i \ne j} AG\big(((1 < v < 2n) \vee (v = 1 \wedge d_i = 0) \vee (v = 2n \wedge d_i = 1)) \Rightarrow (\neg K_i(d_j = 0) \wedge \neg K_i(d_j = 1))\big).$$ 
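Because the number of decision profiles is finite, the conditional anonymity formulas above can also be checked by brute force outside MCMAS. The following Python script is an added example, not part of the paper and not MCMAS or ISPL code. It models a judge's knowledge as indistinguishability between decision profiles under an observation function, and those observation functions are modelling assumptions that keep only what the text says a judge ends up seeing: its own decision and the verdict for everybody, the per-pair conjunction and disjunction bits for the leader when there are more than three judges, and the count of guilty votes in the DCP-based solution. The random coins of the protocols are abstracted away, and all function names are the example's own.

```python
"""Brute-force check of the conditional anonymity formulas (added example).

A judge J_i knows phi at decision profile P iff phi holds at every profile that
gives J_i the same observation as P.  The observation functions are modelling
assumptions that keep only what the text says a judge ends up seeing."""
from itertools import product


def majority(profile):
    """Verdict of the centralised solution: 1 (guilty) iff more than half vote 1."""
    return 1 if 2 * sum(profile) > len(profile) else 0


def obs_centralised(profile, i):
    """J_i sees its own decision and the verdict.  With more than three judges the
    leader J_0 additionally sees d_{2k-1} AND d_{2k} and d_{2k-1} OR d_{2k} for
    every pair (J_{2k-1}, J_{2k}); for three judges it is assumed to see nothing more."""
    view = [i, profile[i], majority(profile)]
    if i == 0 and len(profile) > 3:
        for k in range(1, len(profile), 2):
            view.append((profile[k] & profile[k + 1], profile[k] | profile[k + 1]))
    return tuple(view)


def obs_dcp(profile, i):
    """DCP-based solution: J_i sees its own decision and v = number of guilty votes."""
    return (i, profile[i], sum(profile))


def knows(obs, profiles, P, i, pred):
    """K_i pred at P: pred holds in every profile J_i cannot distinguish from P."""
    o = obs(P, i)
    return all(pred(Q) for Q in profiles if obs(Q, i) == o)


def violations(obs, n_judges, premise, i, j):
    """Profiles where premise holds yet J_i knows d_j.  An empty list means
    AG(premise => (not K_i(d_j = 0) and not K_i(d_j = 1))) holds."""
    profiles = list(product((0, 1), repeat=n_judges))
    return [P for P in profiles
            if premise(P)
            and (knows(obs, profiles, P, i, lambda Q: Q[j] == 0)
                 or knows(obs, profiles, P, i, lambda Q: Q[j] == 1))]


def centralised_ok(n_judges):
    """The paper's centralised formulas for all i != j: unconditional for
    non-leaders, restricted to disagreeing pairs for the leader, and the
    (v = d_i) premise for every judge when there are only three."""
    for i in range(n_judges):
        for j in range(n_judges):
            if i == j:
                continue
            if n_judges == 3:
                premise = lambda P, i=i: majority(P) == P[i]
            elif i == 0:
                k = (j + 1) // 2                      # J_j belongs to pair (J_{2k-1}, J_{2k})
                premise = lambda P, k=k: P[2 * k - 1] != P[2 * k]
            else:
                premise = lambda P: True
            if violations(obs_centralised, n_judges, premise, i, j):
                return False
    return True


def dcp_ok(n_judges, conditional=True):
    """The paper's DCP formula; with conditional=False the premise is dropped,
    which exposes the cases (v = 0, v = 2n + 1, ...) where the count gives everything away."""
    n = (n_judges - 1) // 2
    for i in range(n_judges):
        for j in range(n_judges):
            if i == j:
                continue
            if conditional:
                premise = lambda P, i=i: ((1 < sum(P) < 2 * n)
                                          or (sum(P) == 1 and P[i] == 0)
                                          or (sum(P) == 2 * n and P[i] == 1))
            else:
                premise = lambda P: True
            if violations(obs_dcp, n_judges, premise, i, j):
                return False
    return True


if __name__ == "__main__":
    for m in (3, 5, 7):
        print(m, "judges: centralised", centralised_ok(m), "DCP", dcp_ok(m),
              "DCP unconditional", dcp_ok(m, conditional=False))
```

Under these assumptions the script reproduces the outcome reported in the text: the unconditional non-leader formula fails with three judges (for instance at profile (1, 0, 1), where $J_1$ sees $d_1 = 0$ and $v = 1$ and can only conclude that both others voted guilty), the leader's unconditional formula fails with five judges as soon as a pair agrees, and every conditional formula holds for three, five and seven judges.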

Summary of verification results in MCMAS. All the aforementioned conditional anonymity properties 
have been checked successfully on instances of the two solutions with three or five judges, respectively. 
The table above summarises the statistics from MCMAS (version 0.9.8.1). The large increase in reachable states and BDD 
memory consumption in the case of the DCP-based protocols is due to the use of arithmetic operations. 
Extending the models to more judges is an interesting exercise in MCMAS, but it is not the focus of the 
current paper. 

7 Discussion and Future Work 

In the current paper, we have presented two solutions to the judges problem to compute a majority 
function securely. One solution is based on the original proposal by McIver and Morgan [22] using 
oblivious transfer, the other is an extension of the DCP [8] for computing the sum of the judges' decisions. 
Both are imperfect in the sense that the judges are not unconditionally anonymous: some judges can 
obtain more information than their own decisions. This has been captured by our notion of conditional 
anonymity and confirmed by the automatic analysis in a model checker. 
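To make concrete why the DCP-based solution publishes the number of guilty votes rather than only the verdict, here is an added Python example of a dining-cryptographers style modular sum; it is an example construction, not the paper's own code, and not necessarily the exact variant of the DCP the paper uses. It assumes the judges sit in a ring and that every pair of neighbours shares a uniformly random key; the function names are the example's own.

```python
import secrets


def dcp_sum(decisions, modulus):
    """Dining-cryptographers style computation of the number of guilty votes
    (example construction).  Judges sit in a ring; neighbours J_i and J_{i+1}
    share a uniformly random key k_i in Z_m.  J_i broadcasts
    b_i = d_i + k_i - k_{i-1} (mod m).  Every key is added once and subtracted
    once, so sum(b_i) = sum(d_i) (mod m), while each b_i alone is uniform and
    says nothing about d_i.  Returns (broadcasts, recovered count)."""
    n = len(decisions)
    keys = [secrets.randbelow(modulus) for _ in range(n)]      # k_i shared by J_i and J_{i+1}
    broadcasts = [(decisions[i] + keys[i] - keys[i - 1]) % modulus   # keys[-1] closes the ring
                  for i in range(n)]
    return broadcasts, sum(broadcasts) % modulus


def dcp_verdict(decisions):
    """Final verdict of the DCP-based solution.  The count v is public and
    'guilty' iff v > n for 2n + 1 judges; the modulus exceeds 2n + 1 so the
    count cannot wrap around.  Returns (v, verdict)."""
    n = (len(decisions) - 1) // 2
    _, v = dcp_sum(decisions, modulus=len(decisions) + 1)
    return v, int(v > n)


def other_votes_determined(v, own, n):
    """What a judge can derive from the public count and its own vote: the
    number of guilty votes among the other 2n judges.  True when that number
    fixes every other judge's decision (0 or 2n guilty among 2n), i.e. exactly
    the situations the paper excludes from the premise of its DCP formula."""
    others = v - own
    return others == 0 or others == 2 * n


if __name__ == "__main__":
    votes = (1, 1, 0, 1, 0)                      # constructed sample: 5 judges, 3 guilty
    print(dcp_sum(votes, 7))
    print(dcp_verdict(votes))                    # (3, 1)
```

Because the keys cancel only in the sum, no single broadcast leaks a vote, but the count $v$ itself is the output, and `other_votes_determined` shows when $v$ together with a judge's own vote pins down everybody else (for five judges: $v \in \{0, 5\}$, or $v = 1$ with own vote 1, or $v = 4$ with own vote 0).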

In the literature, the question of secure multi-party computation was originally raised by 
Yao POl, who presented the millionaires problem. The problem can be stated as follows: two 
millionaires want to find out who is richer without revealing the precise amount of their wealth. Yao 
proposed a solution allowing the two millionaires to satisfy their curiosity while respecting their privacy. 
Further generalisations of Yao's problem are called multi-party computation (MPC) protocols, where 
a number of parties $p_1, p_2, \ldots, p_n$, each of which has private data $x_1, x_2, \ldots, x_n$ respectively, want to 
compute the value of a public function $F(x_1, x_2, \ldots, x_n)$. An MPC protocol is considered secure if no party 
$p_i$ can learn more than the description of the public function, the final result of the calculation and his own 
$x_i$. The judges problem is just a special MPC protocol for computing a majority. The security of such 
protocols can be either computational or unconditional. In most of this paper we focus on the latter 
case. It is also of interest to derive computational solutions, as communicated with Radomirovic [23]. For 
instance, Brandt [6] gives a general solution for securely computing disjunction and maximum for both 
active and passive attackers, based on El-Gamal encryption. Chor and Kushilevitz Q study the problem 
of computing a modular sum when the inputs are distributed. Their solution is t-private, meaning that 
no coalition of size at most t can infer any additional information. A generalisation has been made by 

11 It is also possible that a group of judges cooperate together to find out the rest of the judges' decisions. 
Beimel, Nissim and Omri O recently. It would be interesting to see whether these schemes can also be used for 
computing the majority function. In the appendix, we present one possible computational solution based 
on the anonymous veto network [17]. This solution does not take efficiency into account, while lower 
bounds on message complexity are given in [9], [2]. How to achieve the most efficient solution for securely 
computing a majority function is one item of our future work. More importantly, having a formal correctness 
argument, for instance with the support of a theorem prover, is another. 

Recently, the population protocol model [1] has emerged as an elegant computation paradigm for describing 
mobile ad hoc networks, consisting of multiple mobile nodes which interact with each other to 
carry out a computation. One essential property of population protocols is that, for all possible 
initial configurations, all nodes must eventually converge to the correct output values (or configurations). 
To guarantee that such properties can be achieved, the interactions of nodes in population protocols 
are subject to a strong fairness condition: if one action is enabled in one configuration, then this action must 
be taken infinitely often in that configuration. The fairness constraint is imposed on the scheduler to 
ensure that the protocol makes progress. In population protocols, the required fairness condition will 
make the system eventually behave nicely, although it can behave arbitrarily for an arbitrarily long period [1]. 
Delporte-Gallet et al. ifTTTl consider private computations in the population protocol model. The 
requirement is to compute a predicate without revealing any input to a curious adversary. They show that 
any computable predicate, including the majority function, can be made private through an obfuscation 
process. Thus, it is possible to achieve a solution to the judges problem within their framework. After 
that, we could formally model check the solution in the tool PAT [26], which is dedicated to dealing with 
fairness conditions for population protocols. However, as discussed above, a population protocol can 
only guarantee that a majority is eventually computed, and the agents (judges) in the protocol have no 
idea of when this has been successfully computed. Whether this is a desirable solution to the judges problem is 
still under discussion. Moreover, we have only considered honest but curious judges. It is interesting to 
extend the available solutions to take active adversaries and/or coalitions of dishonest judges into account, 
e.g., following tOU. 
A A Computationally Anonymous Majority Function Protocol 

The idea of this protocol is partially due to Sasa Radomirovic. The functionality of the protocol relies on 
the Anonymous Veto Network [17]. The protocol assumes a finite cyclic group $G$ of prime order $q$, and 
the judges $J_0, \ldots, J_{2n}$ agree on a generator $g$ of $G$. The values of $g$ and $q$ are large enough ($\gg n$). The 
protocol consists of three steps of computation by means of broadcast, and no private channels are 
required. The first step (round) sets up a nonce $g^{N_i}$ for each judge $i$ satisfying $\sum N_i = 0 \pmod q$. The second step 
(which actually takes $n$ rounds) pre-computes the $n+1$ majority values in an encrypted form of $g^{n+1}, 
g^{n+2}, \ldots, g^{2n+1}$, which are secretly shuffled so that no judge knows which one is which. In the last step 
every judge announces his vote in a secure way, so that the final verdict will be known to every judge 
by examining whether the final result is within the set of the pre-computed values from step two. The 
protocol can be formally stated as follows. 

Step 1 Every judge $J_i$ publishes $g^{x_i}$ and a zero knowledge proof of $x_i$. After that, every judge is able to 
compute 

$$g^{y_i} = \prod_{j=0}^{i-1} g^{x_j} \Big/ \prod_{j=i+1}^{2n} g^{x_j}.$$ 

Now each judge $i$ has $g^{N_i} = g^{x_i y_i}$ satisfying $\sum N_i = 0 \pmod q$, which is equivalently 

$$\prod_{i=0}^{2n} g^{x_i y_i} = 1.$$ 

Step 2 Let $M = \{n+1, n+2, \ldots, 2n+1\}$ be the set of majority values. Every judge $J_i$ generates a 
random permutation $p_i : M \to M$. Then judge $J_0$ computes $m_{k,0} = g^k$ for all $k \in M$. Subsequently, in 
the precise order from $J_0$ to $J_{2n}$, $J_i$ announces the sequence $(m_{n+1,i+1}, m_{n+2,i+1}, \ldots, m_{2n+1,i+1})$, where $m_{p_i(k),i+1} = 
(m_{k,i})^{x_i}$ for each judge $J_i$. Write $M'$ for the final set $\{m_{k,2n+1}\}_{k \in M} = \{g^{k x_0 x_1 \cdots x_{2n}}\}_{k \in M}$. Intuitively, 
the members of $M'$ are randomly shuffled such that no judge knows what each individual value in $M'$ 
originally corresponds to in $M$. 

Step 3 Each judge $J_i$ decides his vote $v_i \in \{0, 1\}$ and publishes $z_{i,1} = g^{N_i + v_i}$. This requires $2n$ additional 
rounds, and in each round $r \in \{2, 3, \ldots, 2n+1\}$ judge $J_i$ takes $z_{i \ominus 1, r-1}$, where $i \ominus 1 = i - 1$ 
if $i \ge 1$ and $0 \ominus 1 = 2n$, and publishes $z_{i,r} = (z_{i \ominus 1, r-1})^{x_i}$. Finally we have the results as a sequence 

$$(z_{2n,2n+1}, z_{0,2n+1}, z_{1,2n+1}, \ldots, z_{2n-1,2n+1}) \quad \text{such that} \quad z_{i,2n+1} = g^{(N_{i \oplus 1} + v_{i \oplus 1})\, x_0 x_1 \cdots x_{2n}}.$$ 

Every judge can then check if 

If yes then the final verdict is 'yes' (guilty), otherwise the final verdict is 'no' (innocent). 
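The three steps above, as an added Python example that is not part of the paper (the protocol idea is credited to Radomirovic in the text, but this code is the example's own). It makes the following assumptions: a constructed toy group ($p = 1019$, $q = 509$, $g = 4$ generating the order-$q$ subgroup) stands in for a cryptographically sized one; the zero-knowledge proofs of Step 1 are omitted; and in Step 3 each judge applies its own secret $x_i$ when it creates $z_{i,1}$, so that after the $2n$ passes around the ring every value carries all $2n+1$ secrets in its exponent, which is what the membership test against $M'$ requires. Function names are the example's own.

```python
import random

# Toy group for the example (assumption): p = 2q + 1 with q prime, and g = 4
# generates the order-q subgroup of quadratic residues mod p.  A real
# deployment needs a cryptographically sized group; q must also exceed 2n + 1.
P, Q, G = 1019, 509, 4


def modinv(a):
    """Inverse mod P (P is prime, so Fermat's little theorem applies)."""
    return pow(a, P - 2, P)


def step1_nonces(rng, judges):
    """Step 1: each J_i publishes g^{x_i}; from the public values every judge can
    form g^{y_i} = prod_{j<i} g^{x_j} / prod_{j>i} g^{x_j}, and J_i alone can
    compute g^{N_i} = (g^{y_i})^{x_i}.  Returns the secrets and the g^{N_i}
    (zero-knowledge proofs of the x_i are omitted in this example)."""
    x = [rng.randrange(1, Q) for _ in range(judges)]
    gx = [pow(G, xi, P) for xi in x]
    g_n = []
    for i in range(judges):
        num = den = 1
        for j in range(i):
            num = num * gx[j] % P
        for j in range(i + 1, judges):
            den = den * gx[j] % P
        g_y = num * modinv(den) % P
        g_n.append(pow(g_y, x[i], P))
    return x, g_n


def nonces_cancel(g_n):
    """prod_i g^{N_i} = 1, i.e. sum_i N_i = 0 (mod q): the AV-net cancellation property."""
    acc = 1
    for value in g_n:
        acc = acc * value % P
    return acc == 1


def step2_shuffled_majority_set(rng, x):
    """Step 2: start from m_{k,0} = g^k for k in M = {n+1, ..., 2n+1}; each judge in
    turn raises every element to its x_i and applies a random permutation, so the
    final set M' = {g^{k x_0 ... x_2n}} no longer tells anyone which k is which."""
    n = (len(x) - 1) // 2
    current = [pow(G, k, P) for k in range(n + 1, 2 * n + 2)]
    for xi in x:
        current = [pow(m, xi, P) for m in current]
        rng.shuffle(current)
    return frozenset(current)


def step3_verdict(x, g_n, votes, m_prime):
    """Step 3: J_i publishes g^{N_i + v_i}; the values are then passed around the
    ring and raised to the other judges' secrets.  Assumption of this example:
    J_i applies its own x_i when it creates its value, so after 2n passes every
    value carries the exponent (N_i + v_i) x_0 ... x_2n, matching the exponents
    in M'.  Returns 1 (guilty) iff the product of all values lies in M'."""
    judges = len(x)
    z = [pow(g_n[i] * pow(G, votes[i], P) % P, x[i], P) for i in range(judges)]
    for _ in range(judges - 1):                          # rounds 2 .. 2n+1
        z = [pow(z[(i - 1) % judges], x[i], P) for i in range(judges)]
    total = 1
    for zi in z:                                         # prod_i z_i = g^{(sum v_i) x_0 ... x_2n}
        total = total * zi % P
    return int(total in m_prime)


def run_protocol(votes, seed=0):
    """Whole protocol for a (constructed) vote vector; returns the final verdict."""
    rng = random.Random(seed)
    x, g_n = step1_nonces(rng, len(votes))
    assert nonces_cancel(g_n)
    m_prime = step2_shuffled_majority_set(rng, x)
    return step3_verdict(x, g_n, votes, m_prime)


if __name__ == "__main__":
    print(run_protocol((1, 1, 0, 1, 0)))   # majority guilty -> 1
    print(run_protocol((0, 0, 1, 0, 0)))   # majority innocent -> 0
```

The product of the final values equals $g^{(\sum v_i) x_0 \cdots x_{2n}}$ because the $N_i$ sum to zero modulo $q$, and it coincides with an element of $M'$ exactly when $\sum v_i \in M$, since $\prod x_j$ is invertible modulo $q$ and every $k \in M$ is smaller than $q$; no judge can read off the count itself without knowing all the secrets.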



